At 5:04 PM -0400 10/20/03, Richard Welty wrote:
On Mon, 20 Oct 2003 16:31:45 -0400 "Steven M. Bellovin" <smb@research.att.com> wrote:
A number of people havce responded that they don't want to be forced to pay for a change that will benefit Verisign. That's a policy issue I'm trying to avoid here. I'm looking for pure technical answers -- how much lead time do you need to make such changes safely?
may i suggest another operational issue then?
how does verisign plan to identify and notify all affected parties when changes are proposed?
for example, in the current case, how do they plan to identify every party running postfix and inform them that they need to upgrade their MTA?
this seems non-trivial to me.
Purely from an operational standpoint, it would be a mark of efficiency to have a central repository of who is running what. That would mean that notifications would only be sent to those that need them, and also would provide objective information to determine how many organizations would be affected by a change. In other words, something that actually would be useful. Unfortunately, we have seen Verisign constantly take the position that information they learn through operations is their intellectual property, to be used as they see fit, and generally to be kept proprietary. So if we try to separate operational from policy, we see white-winged ships sail by, carrying data that might be useful, but then have them crash on the rocks of stewardship of the data.